CN109361663B - Method, system and device for accessing encrypted data - Google Patents

Method, system and device for accessing encrypted data

Info

Publication number
CN109361663B
Authority
CN
China
Prior art keywords
encrypted
client
encrypted data
key
management center
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201811179863.4A
Other languages
Chinese (zh)
Other versions
CN109361663A (en)
Inventor
潘云鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Avic Trust Co ltd
Original Assignee
Avic Trust Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords

Abstract

The application discloses a method, a system and a device for accessing encrypted data. The method comprises the following steps: a first key management center receives an encrypted data access request comprising an encrypted identifier and a first identity identifier and sends the encrypted data access request to an authorization center; if the authorization center judges, according to the first identity identifier, that the second client has authorized the encrypted access right of the first client corresponding to the encrypted identifier, the authorization center sends the encrypted data access request to a second key management center; the second key management center obtains first encrypted data and an encryption key according to the encrypted identifier, decrypts the first encrypted data to obtain decrypted data, encrypts the decrypted data with the first public key to obtain second encrypted data, and sends the second encrypted data to the first key management center; and the first key management center decrypts the second encrypted data with the first private key to obtain the decrypted data and sends the decrypted data to the first client. The authorization judgment of the authorization center thus improves the flexibility, timeliness and manageability of granting the encrypted access right, effectively protects the original encrypted data, and reduces the leakage risk that sharing the encryption key would create.

Description

Method, system and device for accessing encrypted data
Technical Field
The present application relates to the field of blockchain information security technologies, and in particular, to a method, a system, and a device for accessing encrypted data.
Background
At the present stage, with the development of science and technology, blockchain technology, which combines modern cryptography, distributed consensus protocols, peer-to-peer network communication and smart contract programming languages to realize data exchange, processing and storage among multiple participating bodies, is applied more and more widely. Blockchain technology is characterized by being distributed, open and transparent, tamper-resistant, collectively maintained and privacy-preserving. Mainstream blockchains are divided into public chains, private chains and consortium chains; a consortium chain is formed by parties with a shared interest, and each participant in a consortium chain has a strong requirement for data confidentiality.
Generally, a party related to a piece of business on a consortium chain can access the business data put on the chain by the other related parties, whereas a non-related party cannot access the business data of other members of the consortium chain. In the financial industry in particular, the confidentiality requirement on financial business data is extremely high, and access to encrypted data among all participants of the consortium chain needs to be controlled. In the prior art, before a consortium-chain node receives a private transaction, its transaction management center obtains the corresponding encrypted data and encryption key over a P2P connection; after the node receives the private transaction and verifies that it is related to the transaction, it calls the transaction management center to obtain the encrypted data and the encryption key, and decrypts the encrypted data with the encryption key to obtain the decrypted data, thereby completing access to the encrypted data.
However, the inventor has found through research that in the prior art the related nodes are connected in advance over P2P to share the encrypted data and the encryption key of a private transaction, that is, the related nodes already hold the encrypted access authorization, so there is a risk of leakage of the encrypted data and the encryption key and the encrypted data cannot be effectively protected; moreover, during blockchain data broadcasting, whether a related node holds the encrypted access authorization is fixed, and once granted the authorization cannot be withdrawn, so flexibility, timeliness and manageability are poor.
Disclosure of Invention
The technical problem to be solved by the application is to provide a method, a system and a device for accessing encrypted data that use the authorization judgment of an authorization center to improve the flexibility, timeliness and manageability of granting the encrypted access right, effectively protect the original encrypted data, and reduce the leakage risk of the encrypted data, on the premise that neither the encrypted data nor the encryption key is shared among the participating bodies of a consortium chain.
In a first aspect, an embodiment of the present application provides a method for accessing encrypted data, where the method is applied to an encrypted data access system, and the method includes:
a first key management center receives an encrypted data access request, sent by a first client, for encrypted data of a second client, and sends the encrypted data access request to an authorization center; the encrypted data access request comprises an encrypted identifier and a first identity identifier corresponding to the first client;
if the authorization center judges, according to the first identity identifier, that the second client has authorized the encrypted access right of the first client corresponding to the encrypted identifier, the authorization center sends the encrypted data access request to a second key management center;
the second key management center obtains first encrypted data and an encryption key according to the encrypted identifier, decrypts the first encrypted data with the encryption key to obtain decrypted data, encrypts the decrypted data with a first public key to obtain second encrypted data, and sends the second encrypted data to the first key management center according to the first identity identifier; the first encrypted data is determined and returned by the blockchain node corresponding to the second client based on the encrypted identifier, the encryption key is generated and stored in advance by the second key management center, and the first public key is generated and sent in advance by the first key management center;
the first key management center decrypts the second encrypted data with a first private key paired with the first public key to obtain the decrypted data, and sends the decrypted data to the first client; the first private key is generated and stored in advance by the first key management center.
Optionally, the encrypted identifier is a unique identifier generated by the second key management center that corresponds to each of the first encrypted data, the encryption key and the encrypted data access request.
Optionally, the encrypted access right is obtained by the authorization center receiving an encrypted access right request sent by the first client, forwarding the encrypted access right request to the second client, and receiving the encrypted access right returned by the second client after it has processed and granted the request.
Optionally, the encrypted access right is obtained by the authorization center receiving the encrypted access right, actively sent by the second client, by which the second client authorizes the encrypted access of the first client.
Optionally, the method further includes:
if the authorization center judges, according to the first identity identifier, that the second client has not authorized the encrypted access right of the first client corresponding to the encrypted identifier, the authorization center rejects the encrypted data access request.
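The four-party exchange of the first aspect, including the rejection branch, as an added example that is not part of the patent: an authorization center holding revocable grants, a second key management center that decrypts with its stored AES-256-GCM key and re-encrypts under the requester's RSA-OAEP public key, and a first key management center that decrypts with the paired private key. The party names, the cipher choices, the in-memory ledger standing in for the blockchain node, and the grant-key format are assumptions; the RSA-OAEP step only fits a short payload, so a real deployment would wrap a content key rather than the data itself.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
)

// AccessRequest is the first client's encrypted data access request: the encrypted
// identifier plus the first identity identifier of the requesting client.
type AccessRequest struct {
	EncID    string
	Identity string
}

// AuthorizationCenter records which encrypted identifiers a data owner (second client)
// has granted to which requester (first client). A grant can be revoked at any time.
type AuthorizationCenter map[string]bool

func grantKey(owner, requester, encID string) string { return owner + "|" + requester + "|" + encID }
func (ac AuthorizationCenter) Grant(owner, requester, encID string)  { ac[grantKey(owner, requester, encID)] = true }
func (ac AuthorizationCenter) Revoke(owner, requester, encID string) { delete(ac, grantKey(owner, requester, encID)) }

// Authorized is the authorization center's judgement on a forwarded access request.
func (ac AuthorizationCenter) Authorized(owner string, req AccessRequest) bool { return ac[grantKey(owner, req.Identity, req.EncID)] }

// ownerRecord is what the second key management center keeps per encrypted identifier: the
// AES-256-GCM key and the first encrypted data (standing in for the owner's blockchain node).
type ownerRecord struct{ key, firstEncrypted []byte }

// OwnerKMC is the second key management center (assumed in-memory store).
type OwnerKMC map[string]ownerRecord

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts plaintext under a fresh key and records it as the first encrypted data.
func (k OwnerKMC) Store(encID string, plaintext []byte) error {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize()) // prefixed to the ciphertext; encID is bound as AAD
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	k[encID] = ownerRecord{key: key, firstEncrypted: gcm.Seal(nonce, nonce, plaintext, []byte(encID))}
	return nil
}

// Serve decrypts the first encrypted data with the stored key and re-encrypts the plaintext
// under the requester's first public key (RSA-OAEP, so only a short payload fits; a real
// deployment would wrap a content key). Neither the key nor the original ciphertext leaves.
func (k OwnerKMC) Serve(req AccessRequest, firstPub *rsa.PublicKey) ([]byte, error) {
	rec, ok := k[req.EncID]
	gcm, err := newGCM(rec.key) // a missing record has a nil key, which newGCM rejects
	if !ok || err != nil {
		return nil, errors.New("unknown encrypted identifier or unusable key")
	}
	ns := gcm.NonceSize()
	pt, err := gcm.Open(nil, rec.firstEncrypted[:ns], rec.firstEncrypted[ns:], []byte(req.EncID))
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, firstPub, pt, []byte(req.Identity))
}

// RequesterKMC is the first key management center; it generates and keeps the first private key.
type RequesterKMC struct{ priv *rsa.PrivateKey }

func NewRequesterKMC() (*RequesterKMC, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &RequesterKMC{priv: priv}, nil
}

// Access runs the exchange: only if the authorization center judges the right granted does the
// owner KMC return second encrypted data, decrypted here with the first private key.
func (r *RequesterKMC) Access(ac AuthorizationCenter, owner OwnerKMC, ownerID string, req AccessRequest) ([]byte, error) {
	if !ac.Authorized(ownerID, req) {
		return nil, errors.New("authorization center rejected the encrypted data access request")
	}
	second, err := owner.Serve(req, &r.priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, r.priv, second, []byte(req.Identity))
}
```

Revoking a grant takes effect on the next request, which is the manageability the scheme claims over pre-shared P2P keys.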
In a second aspect, an embodiment of the present application provides a method for accessing encrypted data, where the method is applied to a first key management center, and the method includes:
receiving an encrypted data access request, sent by a first client, for encrypted data of a second client; the encrypted data access request comprises an encrypted identifier and a first identity identifier corresponding to the first client;
sending the encrypted data access request to an authorization center, so that, if the authorization center judges according to the first identity identifier that the second client has authorized the encrypted access right of the first client corresponding to the encrypted identifier, the authorization center sends the encrypted data access request to a second key management center and the second key management center obtains first encrypted data and an encryption key according to the encrypted identifier; the first encrypted data is determined and returned by the blockchain node corresponding to the second client based on the encrypted identifier, and the encryption key is generated and stored in advance by the second key management center;
receiving second encrypted data sent by the second key management center according to the first identity identifier; the second encrypted data is obtained by the second key management center decrypting the first encrypted data with the encryption key to obtain decrypted data and encrypting the decrypted data with a first public key, where the first public key is generated and sent in advance by the first key management center;
decrypting the second encrypted data with a first private key paired with the first public key to obtain the decrypted data, and sending the decrypted data to the first client; the first private key is generated and stored in advance by the first key management center.
Optionally, the encrypted identifier is a unique identifier generated by the second key management center and corresponding to each of the first encrypted data, the encryption key, and the encrypted data access request.
In a third aspect, an embodiment of the present application provides a method for accessing encrypted data, where the method is applied to an authorization center, and the method includes:
receiving an encrypted data access request of a first client for encrypted data of a second client, which is sent by the first client and forwarded by a first key management center; the encrypted data access request comprises an encrypted identifier and a first identity identifier corresponding to the first client;
if, according to the first identity identifier, the second client has authorized the encrypted access right of the first client corresponding to the encrypted identifier, sending the encrypted data access request to a second key management center, so that the second key management center obtains first encrypted data and an encryption key according to the encrypted identifier, decrypts the first encrypted data with the encryption key to obtain decrypted data, encrypts the decrypted data with a first public key to obtain second encrypted data, and sends the second encrypted data to the first key management center according to the first identity identifier, and so that the first key management center decrypts the second encrypted data with a first private key paired with the first public key to obtain the decrypted data and sends the decrypted data to the first client; the first encrypted data is determined and returned by the blockchain node corresponding to the second client based on the encrypted identifier, the encryption key is generated and stored in advance by the second key management center, the first public key is generated and sent in advance by the first key management center, and the first private key is generated and stored in advance by the first key management center.
Optionally, the encrypted identifier is a unique identifier generated by the second key management center and corresponding to each of the first encrypted data, the encryption key, and the encrypted data access request.
Optionally, the method further includes:
receiving an encrypted access right request of the first client for the second client, sent by the first client;
sending the encrypted access right request to the second client;
and receiving the encrypted access right sent by the second client after it has processed the encrypted access right request.
Optionally, the method further includes:
and receiving the encrypted access right, actively sent by the second client, by which the second client authorizes the encrypted access of the first client.
Optionally, the method further includes:
and if the encrypted access authority of the first client corresponding to the encrypted identifier is not authorized by the second client according to the first identity identifier, rejecting the encrypted data access request.
In a fourth aspect, an embodiment of the present application provides a method for accessing encrypted data, where the method is applied to a second key management center, and the method includes:
receiving an encrypted data access request sent by an authorization center if the authorization center judges, according to a first identity identifier, that a second client has authorized the encrypted access right of a first client corresponding to an encrypted identifier; the encrypted data access request originates from the first client and comprises the first identity identifier corresponding to the first client and the encrypted identifier;
obtaining first encrypted data and an encryption key according to the encryption identifier, decrypting the first encrypted data by using the encryption key to obtain decrypted data, and encrypting the decrypted data by using a first public key to obtain second encrypted data; the first encrypted data is determined and returned by the block chain node corresponding to the second client based on the encrypted identifier, the encryption key is generated and stored in advance by the second key management center, and the first public key is generated and sent in advance by the first key management center;
and sending the second encrypted data to the first key management center according to the first identity identifier, so that the first key management center decrypts the second encrypted data with a first private key paired with the first public key to obtain the decrypted data and sends the decrypted data to the first client, where the first private key is generated and stored in advance by the first key management center.
Optionally, the encrypted identifier is a unique identifier generated by the second key management center and corresponding to each of the first encrypted data, the encryption key, and the encrypted data access request.
In a fifth aspect, an embodiment of the present application provides an encrypted data access system, where the system includes a first key management center, an authorization center and a second key management center;
the first key management center is used for receiving an encrypted data access request of a first client to a second client, which is sent by the first client, and sending the encrypted data access request to an authorization center; the encrypted data access request comprises an encrypted identifier and a first identity identifier corresponding to the first client;
the authorization center is used for judging, according to the first identity identifier, whether the second client has authorized the encrypted access right of the first client corresponding to the encrypted identifier, and, if so, sending the encrypted data access request to a second key management center;
the second key management center is used for obtaining first encrypted data and an encrypted key according to the encrypted identifier, decrypting the first encrypted data by using the encrypted key to obtain decrypted data, encrypting the decrypted data by using a first public key to obtain second encrypted data, and sending the second encrypted data to the first key management center according to the first identity identifier; the first encrypted data is determined and returned by the block chain node corresponding to the second client based on the encrypted identifier, the encryption key is generated and stored in advance by the second key management center, and the first public key is generated and sent in advance by the first key management center;
the first key management center is further configured to decrypt the second encrypted data with a first private key paired with the first public key to obtain the decrypted data, and send the decrypted data to the first client; the first private key is generated and stored in advance by the first key management center.
In a sixth aspect, an embodiment of the present application provides an apparatus for accessing encrypted data, where the apparatus is applied to a first key management center, and the apparatus includes:
the first receiving unit is used for receiving an access request of a first client to encrypted data of a second client, which is sent by the first client; the encrypted data access request comprises an encrypted identifier and a first identity identifier corresponding to the first client;
a first sending unit, configured to send the encrypted data access request to an authorization center, so that if the authorization center determines, according to the first identity identifier, that the second client authorizes the first client to obtain an encrypted access right corresponding to the encrypted identifier, the authorization center sends the encrypted data access request to a second key management center, and the second key management center obtains first encrypted data and an encrypted key according to the encrypted identifier; the first encrypted data is determined and returned by the block chain node corresponding to the second client based on the encrypted identifier, and the encryption key is generated and stored in advance by the second key management center;
a second receiving unit, configured to receive second encrypted data sent by the second key management center according to the first identity identifier; the second encrypted data is obtained by the second key management center decrypting the first encrypted data with the encryption key to obtain decrypted data and encrypting the decrypted data with a first public key, where the first public key is generated and sent in advance by the first key management center;
a decryption sending unit, configured to decrypt the second encrypted data with a first private key paired with the first public key to obtain the decrypted data, and send the decrypted data to the first client; the first private key is generated and stored in advance by the first key management center.
In a seventh aspect, an embodiment of the present application provides an apparatus for accessing encrypted data, where the apparatus is applied to an authorization center, and the apparatus includes:
a third receiving unit, configured to receive an encrypted data access request, sent by a first key management center, from a first client to a second client; the encrypted data access request comprises an encrypted identifier and a first identity identifier corresponding to the first client;
a second sending unit, configured to send the encrypted data access request to a second key management center if it is determined, according to the first identity identifier, that the second client has authorized the encrypted access right of the first client corresponding to the encrypted identifier, so that the second key management center obtains first encrypted data and an encryption key according to the encrypted identifier, decrypts the first encrypted data with the encryption key to obtain decrypted data, encrypts the decrypted data with a first public key to obtain second encrypted data, and sends the second encrypted data to the first key management center according to the first identity identifier, and so that the first key management center decrypts the second encrypted data with a first private key paired with the first public key to obtain the decrypted data and sends the decrypted data to the first client; the first encrypted data is determined and returned by the blockchain node corresponding to the second client based on the encrypted identifier, the encryption key is generated and stored in advance by the second key management center, the first public key is generated and sent in advance by the first key management center, and the first private key is generated and stored in advance by the first key management center.
In an eighth aspect, an embodiment of the present application provides an apparatus for accessing encrypted data, where the apparatus is applied to a second key management center, and the apparatus includes:
a fourth receiving unit, configured to receive an encrypted data access request sent by an authorization center, where the encrypted data access request is sent by a first client for encrypted data of a second client, is forwarded to the authorization center by a first key management center, comprises a first identity identifier and an encrypted identifier corresponding to the first client, and is forwarded by the authorization center after it determines, according to the first identity identifier, that the second client has authorized the encrypted access right of the first client corresponding to the encrypted identifier;
an obtaining unit, configured to obtain first encrypted data and an encryption key according to the encryption identifier, decrypt the first encrypted data with the encryption key to obtain decrypted data, and encrypt the decrypted data with a first public key to obtain second encrypted data; the first encrypted data is determined and returned by the block chain node corresponding to the second client based on the encrypted identifier, the encryption key is generated and stored in advance by the second key management center, and the first public key is generated and sent in advance by the first key management center;
a third sending unit, configured to send the second encrypted data to the first key management center according to the first identity identifier, so that the first key management center decrypts the second encrypted data with a first private key paired with the first public key to obtain the decrypted data and sends the decrypted data to the first client, where the first private key is generated and stored in advance by the first key management center.
Compared with the prior art, the method has the following advantages:
By adopting the technical scheme of the embodiment of the application, the first key management center receives an encrypted data access request sent by the first client that comprises an encrypted identifier and a first identity identifier corresponding to the first client, and sends the encrypted data access request to an authorization center; if the authorization center judges, according to the first identity identifier, that the second client has authorized the encrypted access right of the first client corresponding to the encrypted identifier, the authorization center sends the encrypted data access request to the second key management center; the second key management center obtains first encrypted data and an encryption key according to the encrypted identifier, decrypts the first encrypted data with the encryption key to obtain decrypted data, encrypts the decrypted data with the first public key to obtain second encrypted data, and sends the second encrypted data to the first key management center according to the first identity identifier; the first key management center decrypts the second encrypted data with a first private key paired with the first public key to obtain the decrypted data, and sends the decrypted data to the first client. The second key management center therefore no longer sends the first encrypted data and the encryption key to the first key management center; instead, the authorization judgment of the authorization center improves the flexibility, timeliness and manageability of granting the encrypted access right, so that the original encrypted data is effectively protected, on the premise that neither the encrypted data nor the encryption key is shared among the participating bodies of the consortium chain, and the leakage risk of the encrypted data is reduced.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the description of the embodiments of the present application will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present application, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a signaling diagram of a method for accessing encrypted data in the prior art according to an embodiment of the present application;
Fig. 2 is a schematic diagram of a system framework related to an application scenario provided in an embodiment of the present application;
Fig. 3 is a signaling diagram of a method for accessing encrypted data according to an embodiment of the present application;
Fig. 4 is a schematic flowchart of a method for accessing encrypted data according to an embodiment of the present application;
Fig. 5 is a schematic flowchart of another method for accessing encrypted data according to an embodiment of the present application;
Fig. 6 is a schematic flowchart of another method for accessing encrypted data according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of an encrypted data access system according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of an apparatus for encrypted data access according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of another apparatus for encrypted data access according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of another apparatus for encrypted data access according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions of the present application better understood, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Generally, the confidentiality requirement on the business data put on a consortium chain formed in the financial industry is extremely high, and access to encrypted data among all participating bodies of the consortium chain needs to be controlled: parties related to a piece of business can access the business data put on the chain by the other related parties, while non-related parties cannot access the business data of other members of the consortium chain. For example, as shown in Fig. 1, a signaling diagram of a prior-art method for accessing encrypted data, before a first consortium-chain related node receives a private transaction, its first transaction management center obtains the encrypted data and the encryption key sent by the second transaction management center over a P2P connection. After the first consortium-chain related node obtains the private transaction from the second consortium-chain related node, it verifies whether it is related to the business; if so, the first consortium-chain related node sends the first client's request for the encrypted data of the second client to the first transaction management center, and the first transaction management center obtains the encrypted data and the encryption key, decrypts the encrypted data with the encryption key, and returns the decrypted data to the first consortium-chain related node, thereby completing access to the encrypted data.
However, the inventor has found through research that in the prior art, the related nodes are connected and shared in advance through P2P to obtain the encrypted data and the encryption key for the private transaction, that is, the related nodes have encrypted access authorization, and there is a risk of leakage of the encrypted data and the encryption key, and the encrypted data cannot be effectively protected; and in the process of block chain data broadcasting, whether the related nodes have the encrypted access authorization is fixed, once the authorization cannot be withdrawn, and the flexibility, timeliness and manageability are poor.
In order to solve the problem, in the embodiment of the application, the first key management center receives an encrypted data access request which is sent by a first client and comprises an encrypted identifier and a first identity identifier corresponding to the first client; sending an encrypted data access request to an authorization center; if the authorization center judges that the second client authorizes the encrypted access authority of the first client corresponding to the encrypted identifier according to the first identity identifier, the authorization center sends an encrypted data access request to the second key management center; the second key management center obtains first encrypted data and an encryption key according to the encryption identifier, decrypts the first encrypted data by using the encryption key to obtain decrypted data, encrypts the decrypted data by using the first public key to obtain second encrypted data, and sends the second encrypted data to the first key management center according to the first identity identifier; the first key management center decrypts the second encrypted data according to a first private key which is symmetric to the first public key to obtain decrypted data, and sends the decrypted data to the first client. Therefore, the second key management center does not send the first encrypted data and the encrypted key to the first key management center any more, but utilizes the authorization judgment of the authorization center to improve the flexibility, timeliness and manageability of the authorization of the encrypted access authority, so that the original encrypted data is effectively protected on the premise that the encrypted data and the encrypted key are not shared among all participating bodies in a alliance chain, and the encrypted data leakage risk is reduced.
For example, one scenario of the embodiment of the present application is the scenario shown in fig. 2, which includes a first client 201, a first key management center 202, a first blockchain node 203, an authorization center 204, a second client 205, a second key management center 206 and a second blockchain node 207. The premise is as follows. The second client 205 first encrypts part of its transaction data by calling the second key management center 206, which generates an encryption key, the first encrypted data and a corresponding encrypted identifier; the second client 205 assembles the encryption key, the first encrypted data and the corresponding encrypted identifier into a transaction and sends it to the second blockchain node 207 for verification, and after verification the second blockchain node 207 broadcasts the transaction to the first blockchain node 203. The first key management center 202 generates a first public key and a first private key that form a key pair (the text calls them "symmetric"), and transmits the first public key to the second key management center 206. The encryption key may be a symmetric key or an asymmetric key.
The first client 201 sends to the first key management center 202 an encrypted data access request from the first client 201 to the second client 205, comprising an encrypted identifier and a first identity identifier corresponding to the first client 201. The first key management center 202 sends the encrypted data access request to the authorization center 204. If the authorization center 204 determines, according to the first identity identifier, that the second client 205 has authorized the first client 201's encrypted access right corresponding to the encrypted identifier, the authorization center 204 sends the encrypted data access request to the second key management center 206. The second key management center 206 obtains the first encrypted data and the encryption key from the second blockchain node 207 according to the encrypted identifier, decrypts the first encrypted data with the encryption key to obtain the decrypted data, encrypts the decrypted data with the first public key to obtain second encrypted data, and sends the second encrypted data to the first key management center 202 according to the first identity identifier. The first key management center 202 decrypts the second encrypted data with the first private key symmetric to the first public key to obtain the decrypted data, and sends the decrypted data to the first client 201.
It is to be understood that the above scenario is only one example of a scenario provided in the embodiment of the present application, and the embodiment of the present application is not limited to this scenario.
Specific implementation manners of the related method, the related system and the related device for accessing encrypted data in the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Exemplary method
The method proceeds as follows. The second client first calls the second key management center to encrypt part of its data: the second key management center generates an encryption key, uses it to encrypt that part of the data to obtain the first encrypted data, at the same time generates a unique identifier to serve as the encrypted identifier, and establishes the correspondence between the encrypted identifier and the first encrypted data and the encryption key. The second client obtains the first encrypted data and the encrypted identifier returned by the second key management center, assembles a transaction and sends it to the corresponding second block chain node for verification; after verification the transaction is broadcast to the block chain node corresponding to the first client, and the first client then accesses the encrypted data of the second client.
Referring to fig. 3, a signaling diagram of a method for accessing encrypted data in an embodiment of the present application is shown, and is applied to an encrypted data access system. In this embodiment, the method may include, for example, the steps of:
Step 301: a first key management center receives an encrypted data access request, sent by a first client, from the first client to a second client, and sends the encrypted data access request to an authorization center; the encrypted data access request comprises an encrypted identifier and a first identity identifier corresponding to the first client.
It can be understood that, for the first client to access encrypted data in the second client's broadcast data through the corresponding block chain node, the first client first sends an encrypted data access request from the first client to the second client to the first key management center. In the prior art the encrypted data and the encryption key are shared over a P2P connection, so the original encrypted data cannot be effectively protected and the risk of encrypted data leakage is aggravated. To solve this, in this embodiment the first key management center does not obtain the stored encrypted data or the encryption key used to decrypt it; instead, an authorization center that judges whether the second client has authorized the first client's encrypted access right is newly added to carry out the subsequent encrypted access process, and the first key management center sends the encrypted data access request to the authorization center so that the authorization center can judge the encrypted access right on the basis of that request.
It should be noted that the second key management center, when it generates the encryption key and uses it to obtain the first encrypted data, at the same time generates a unique identifier as the encrypted identifier, establishes the correspondence between the encrypted identifier and the first encrypted data and the encryption key, and subsequently transmits the encrypted identifier to the first client. Therefore, when the first client generates its request to access the second client's encrypted data, it also carries the encrypted identifier, so that the corresponding content can later be obtained on the basis of that identifier. Accordingly, in some implementations of this embodiment, the encrypted identifier is a unique identifier generated by the second key management center that corresponds to each of the first encrypted data, the encryption key and the encrypted data access request.
Step 302: if the authorization center judges, according to the first identity identifier, that the second client has authorized the first client's encrypted access right corresponding to the encrypted identifier, the authorization center sends the encrypted data access request to a second key management center.
It can be understood that, after the authorization center receives the encrypted data access request, it must determine, on the basis of the first identity identifier and the encrypted identifier that the request contains, whether the second client has authorized the first client's encrypted access right to the encrypted data. Once the authorization is confirmed, the encrypted data access request must be routed to the second key management center, since it is the second key management center that obtains the stored encrypted data and the encryption key used to decrypt it.
It should be noted that the second client's authorization of the first client's encrypted access right generally takes one of two forms, passive authorization and active authorization, as follows:
First, passive authorization means that the second client processes an encrypted access right request sent by the first client and obtained through the authorization center, the processing result being an authorization, and returns that result to the authorization center. Therefore, in some implementations of this embodiment, the encrypted access right is obtained by the authorization center receiving an encrypted access right request sent by the first client, sending the encrypted access right request to the second client, and receiving the result returned to the authorization center after the second client has processed the authorization.
Second, active authorization means that the second client, on its own initiative, sends to the authorization center an authorization of the first client's encrypted access right. Therefore, in some implementations of this embodiment, the encrypted access right is obtained by the authorization center receiving the authorization of the first client's encrypted access right that the second client actively sent.
It should be noted that in some cases the second client does not authorize the first client's encrypted access right to the encrypted data. In that case the first client has no encrypted access right to the second client's encrypted data and cannot access it; that is, the authorization center must not route and forward the encrypted data access request but must deny it. Therefore, in some implementations of this embodiment, the method further comprises: if the authorization center judges, according to the first identity identifier, that the second client has not authorized the first client's encrypted access right corresponding to the encrypted identifier, the authorization center rejects the encrypted data access request.
Step 303: the second key management center obtains the first encrypted data and the encryption key according to the encrypted identifier, decrypts the first encrypted data with the encryption key to obtain the decrypted data, encrypts the decrypted data with a first public key to obtain second encrypted data, and sends the second encrypted data to the first key management center according to the first identity identifier; the first encrypted data is determined and returned by the block chain node corresponding to the second client on the basis of the encrypted identifier, the encryption key is generated and stored in advance by the second key management center, and the first public key is generated and sent in advance by the first key management center.
It can be understood that, since the second key management center generates and stores the encryption key, while the first encrypted data is stored in the block chain node corresponding to the second client, after the second key management center receives the encrypted data access request it first obtains the encryption key on the basis of the encrypted identifier in the request, and then calls the block chain node corresponding to the second client to obtain the first encrypted data. Specifically, the second key management center sends a first encrypted data acquisition request carrying the encrypted identifier to the block chain node corresponding to the second client; the block chain node finds the corresponding first encrypted data on the basis of the encrypted identifier and returns it to the second key management center. Once the first encrypted data and the encryption key have been obtained, the first encrypted data, having been encrypted with the encryption key, can be decrypted with that key to obtain the decrypted data. To guarantee the confidentiality of the data transmitted to the first key management center, and to let the first key management center obtain the decrypted data without obtaining the encryption key, in this embodiment the decrypted data is not transmitted directly once obtained; it is encrypted again with the first public key generated by the first key management center to obtain the second encrypted data, which is then transmitted to the first key management center.
It should be noted that the first public key may be generated by the first key management center and sent to the second key management center in advance, or it may be generated by the first key management center and stored in the authorization center, in which case the authorization center sends the first public key to the second key management center when the encrypted data is accessed.
Step 304: the first key management center decrypts the second encrypted data with a first private key that is symmetric to the first public key to obtain the decrypted data, and sends the decrypted data to the first client; the first private key is generated and stored in advance by the first key management center.
It can be understood that the first public key and the first private key are a key pair generated and stored by the first key management center. After receiving the second encrypted data, which was encrypted with the first public key, the first key management center can decrypt it with the first private key it holds to obtain the decrypted data, and finally return the decrypted data to the first client, completing the first client's access to the second client's encrypted data.
Through the various implementation manners provided by this embodiment, the first key management center receives an encrypted data access request sent by the first client, which comprises an encrypted identifier and a first identity identifier corresponding to the first client, and sends the encrypted data access request to an authorization center. If the authorization center judges, according to the first identity identifier, that the second client has authorized the first client's encrypted access right corresponding to the encrypted identifier, the authorization center sends the encrypted data access request to the second key management center. The second key management center obtains the first encrypted data and the encryption key according to the encrypted identifier, decrypts the first encrypted data with the encryption key to obtain the decrypted data, encrypts the decrypted data with the first public key to obtain second encrypted data, and sends the second encrypted data to the first key management center according to the first identity identifier. The first key management center decrypts the second encrypted data with the first private key that is symmetric to the first public key to obtain the decrypted data, and sends the decrypted data to the first client. Thus the second key management center no longer sends the first encrypted data and the encryption key to the first key management center; instead, the authorization judgment of the authorization center is used, which improves the flexibility, timeliness and manageability of authorizing the encrypted access right. The original encrypted data is therefore effectively protected, on the premise that neither the encrypted data nor the encryption key is shared among the participating bodies of the alliance chain, and the risk of encrypted data leakage is reduced.
Referring to fig. 4, a flowchart of a method for accessing encrypted data in the embodiment of the present application is shown, and is applied to a first key management center. In this embodiment, the method may include, for example, the steps of:
step 401: receiving a data access request sent by a first client to a second client by the first client; the encrypted data access request comprises an encrypted identifier and a first identity identifier corresponding to the first client.
Step 402: sending the encrypted data access request to an authorization center, so that if the authorization center judges that the second client authorizes the encrypted access right of the first client corresponding to the encrypted identifier according to the first identity identifier, the authorization center sends the encrypted data access request to a second key management center, and the second key management center obtains first encrypted data and an encrypted key according to the encrypted identifier; the first encrypted data is determined and returned by the block chain node corresponding to the second client based on the encryption identifier, and the encryption key is generated and stored in advance by the second key management center.
Step 403: receiving second encrypted data sent by the first key management center according to the first identity; the second encrypted data is obtained by the second key management center decrypting the first encrypted data with the encryption key to obtain decrypted data, and encrypting the decrypted data with a first public key, which is generated and transmitted in advance by the first key management center.
Step 404: decrypting the second encrypted data according to a first private key symmetrical to the first public key to obtain the decrypted data, and sending the decrypted data to the first client; the first private key is generated and stored in advance by a first key management center.
As can be seen from the foregoing embodiments, in some implementations of this embodiment, the encrypted identifier is a unique identifier generated by the second key management center and corresponding to each of the first encrypted data, the encryption key, and the encrypted data access request.
Through the various implementation manners provided by this embodiment, the first key management center receives an encrypted data access request sent by the first client, which comprises an encrypted identifier and a first identity identifier corresponding to the first client, and sends the encrypted data access request to an authorization center. If the authorization center judges, according to the first identity identifier, that the second client has authorized the first client's encrypted access right corresponding to the encrypted identifier, the authorization center sends the encrypted data access request to the second key management center. The second key management center obtains the first encrypted data and the encryption key according to the encrypted identifier, decrypts the first encrypted data with the encryption key to obtain the decrypted data, encrypts the decrypted data with the first public key to obtain second encrypted data, and sends the second encrypted data to the first key management center according to the first identity identifier. The first key management center decrypts the second encrypted data with the first private key that is symmetric to the first public key to obtain the decrypted data, and sends the decrypted data to the first client. Thus the second key management center no longer sends the first encrypted data and the encryption key to the first key management center; instead, the authorization judgment of the authorization center is used, which improves the flexibility, timeliness and manageability of authorizing the encrypted access right. The original encrypted data is therefore effectively protected, on the premise that neither the encrypted data nor the encryption key is shared among the participating bodies of the alliance chain, and the risk of encrypted data leakage is reduced.
Referring to fig. 5, a flow chart of another method for accessing encrypted data in the embodiment of the present application is shown, which is applied to an authorization center. In this embodiment, the method may include, for example, the steps of:
step 501: receiving a data access request sent by a first key management center and sent by a first client and encrypted by the first client to a second client; the encrypted data access request comprises an encrypted identifier and a first identity identifier corresponding to the first client.
Step 502: if the encrypted access authority of the first client corresponding to the encrypted identifier is authorized by the second client according to the first identity identifier, sending the encrypted data access request to a second key management center, so that the second key management center obtains first encrypted data and an encrypted key according to the encrypted identifier, decrypting the first encrypted data by using the encrypted key to obtain decrypted data, encrypting the decrypted data by using a first public key to obtain second encrypted data, sending the second encrypted data to the first key management center according to the first identity identifier, so that the first key management center decrypts the second encrypted data according to a first private key symmetrical to the first public key to obtain the decrypted data, and sending the decrypted data to the first client; the first encrypted data is determined and returned by the block chain node corresponding to the second client based on the encrypted identifier, the encryption key is generated and stored in advance by the second key management center, the first public key is generated and sent in advance by the first key management center, and the first private key is generated and stored in advance by the first key management center.
As can be seen from the foregoing embodiments, in some implementations of this embodiment, the encrypted identifier is a unique identifier generated by the second key management center and corresponding to each of the first encrypted data, the encryption key, and the encrypted data access request.
It should be noted that, with the authorization center as the executing subject, the second client's authorization of the first client's encrypted access right is generally implemented in one of two ways, as follows:
The first is passive authorization: the authorization center obtains an encrypted access right request sent by the first client, forwards it to the second client, and obtains the authorization result after the second client has processed the request. Therefore, in some implementations of this embodiment, the method further comprises:
Step A: receiving an encrypted access right request from the first client to the second client, sent by the first client;
Step B: sending the encrypted access right request to the second client;
Step C: receiving the encrypted access right sent by the second client after it has processed the encrypted access right request.
The second is active authorization: receiving the authorization of the first client's encrypted access right that the second client sends on its own initiative. Therefore, in some implementations of this embodiment, the method further comprises: receiving the second client's authorization of the first client's encrypted access right, sent actively by the second client.
It should be noted that in some cases the second client does not authorize the first client's encrypted access right to the encrypted data. In that case the first client has no encrypted access right to the second client's encrypted data and cannot access it; that is, the authorization center must not route and forward the encrypted data access request but must deny it. Therefore, in some implementations of this embodiment, the method further comprises: if, according to the first identity identifier, the second client has not authorized the first client's encrypted access right corresponding to the encrypted identifier, rejecting the encrypted data access request.
Through the various implementation manners provided by this embodiment, the first key management center receives an encrypted data access request sent by the first client, which comprises an encrypted identifier and a first identity identifier corresponding to the first client, and sends the encrypted data access request to an authorization center. If the authorization center judges, according to the first identity identifier, that the second client has authorized the first client's encrypted access right corresponding to the encrypted identifier, the authorization center sends the encrypted data access request to the second key management center. The second key management center obtains the first encrypted data and the encryption key according to the encrypted identifier, decrypts the first encrypted data with the encryption key to obtain the decrypted data, encrypts the decrypted data with the first public key to obtain second encrypted data, and sends the second encrypted data to the first key management center according to the first identity identifier. The first key management center decrypts the second encrypted data with the first private key that is symmetric to the first public key to obtain the decrypted data, and sends the decrypted data to the first client. Thus the second key management center no longer sends the first encrypted data and the encryption key to the first key management center; instead, the authorization judgment of the authorization center is used, which improves the flexibility, timeliness and manageability of authorizing the encrypted access right. The original encrypted data is therefore effectively protected, on the premise that neither the encrypted data nor the encryption key is shared among the participating bodies of the alliance chain, and the risk of encrypted data leakage is reduced.
Referring to fig. 6, a schematic flowchart of another method for accessing encrypted data in the embodiment of the present application is shown, and is applied to the second key management center. In this embodiment, the method may include, for example, the steps of:
step 601: if the authorization center judges that the second client authorizes the encrypted access right of the first client corresponding to the encrypted identifier according to the encrypted data access request sent by the first key management center and from the first client including the first identity identifier and the encrypted identifier corresponding to the first client, the authorization center receives the encrypted data access request sent by the authorization center.
Step 602: obtaining first encrypted data and an encryption key according to the encryption identifier, decrypting the first encrypted data by using the encryption key to obtain decrypted data, and encrypting the decrypted data by using a first public key to obtain second encrypted data; the first encrypted data is determined and returned by the block chain node corresponding to the second client based on the encrypted identifier, the encryption key is generated and stored in advance by the second key management center, and the first public key is generated and sent in advance by the first key management center.
Step 603: and sending the second encrypted data to the first key management center according to the first identity, so that the first key management center decrypts the second encrypted data according to a first private key which is symmetric to the first public key to obtain the decrypted data, and sends the decrypted data to the first client, wherein the first private key is generated and stored in advance by the first key management center.
As can be seen from the foregoing embodiments, in some implementations of this embodiment, the encrypted identifier is a unique identifier generated by the second key management center and corresponding to each of the first encrypted data, the encryption key, and the encrypted data access request.
Through the various implementation manners provided by this embodiment, the first key management center receives an encrypted data access request sent by the first client, which comprises an encrypted identifier and a first identity identifier corresponding to the first client, and sends the encrypted data access request to an authorization center. If the authorization center judges, according to the first identity identifier, that the second client has authorized the first client's encrypted access right corresponding to the encrypted identifier, the authorization center sends the encrypted data access request to the second key management center. The second key management center obtains the first encrypted data and the encryption key according to the encrypted identifier, decrypts the first encrypted data with the encryption key to obtain the decrypted data, encrypts the decrypted data with the first public key to obtain second encrypted data, and sends the second encrypted data to the first key management center according to the first identity identifier. The first key management center decrypts the second encrypted data with the first private key that is symmetric to the first public key to obtain the decrypted data, and sends the decrypted data to the first client. Thus the second key management center no longer sends the first encrypted data and the encryption key to the first key management center; instead, the authorization judgment of the authorization center is used, which improves the flexibility, timeliness and manageability of authorizing the encrypted access right. The original encrypted data is therefore effectively protected, on the premise that neither the encrypted data nor the encryption key is shared among the participating bodies of the alliance chain, and the risk of encrypted data leakage is reduced.
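The fig. 3 flow end to end (steps 301 to 304, and the same flow as seen from each center in figs. 4 to 6), as an added example in Go; it is not code from the patent or its assignee. The patent fixes neither cipher, so AES-256-GCM for the encryption key, RSA-OAEP for the first public/private key pair, in-memory maps for every store, and the identifiers and sample data are all assumptions constructed here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Added example, not the patent's code. The primitives are assumptions the patent leaves open:
// AES-256-GCM as the "encryption key", RSA-OAEP for the first key pair; every store is an in-memory map.
type (
	AccessRequest struct{ EncID, ClientID string } // encrypted identifier + first identity identifier
	SecondKMC     struct {
		keys map[string]cipher.AEAD    // encryption key per identifier, held as a ready AES-GCM instance
		node map[string][]byte         // stands in for the second client's chain node: first encrypted data only
		pubs map[string]*rsa.PublicKey // first public keys, received in advance
	}
	AuthorizationCenter struct {
		grants map[AccessRequest]bool // the second client's authorizations; withdrawing one is a delete
		kmc2   *SecondKMC
	}
	FirstKMC struct {
		priv *rsa.PrivateKey // first private key; the encryption key never reaches this side
		ac   *AuthorizationCenter
	}
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable here
	}
	return b
}

// Encrypt is the second client's call on the second KMC: mint an encryption key and a unique
// encrypted identifier (constructed as random hex), bind them, and hand the ciphertext to the chain node.
func (k *SecondKMC) Encrypt(plain []byte) (encID string) {
	block, _ := aes.NewCipher(randBytes(32)) // a 32-byte key is always accepted
	aead, _ := cipher.NewGCM(block)
	encID = fmt.Sprintf("%x", randBytes(16))
	k.keys[encID] = aead
	nonce := randBytes(aead.NonceSize())
	// nonce || ciphertext; the identifier is associated data, so the ciphertext is tied to it
	k.node[encID] = aead.Seal(nonce, nonce, plain, []byte(encID))
	return encID
}

// Route is step 302: reject unless the second client authorized this client for this identifier.
func (ac *AuthorizationCenter) Route(req AccessRequest) ([]byte, error) {
	if !ac.grants[req] {
		return nil, fmt.Errorf("access rejected: %q has no encrypted access right for %q", req.ClientID, req.EncID)
	}
	return ac.kmc2.Serve(req)
}

// Serve is step 303: fetch first encrypted data from the node, decrypt with the stored key,
// then re-encrypt the result under the requester's first public key.
func (k *SecondKMC) Serve(req AccessRequest) ([]byte, error) {
	aead, first, pub := k.keys[req.EncID], k.node[req.EncID], k.pubs[req.ClientID]
	if aead == nil || first == nil || pub == nil {
		return nil, fmt.Errorf("unknown encrypted identifier %q or client %q", req.EncID, req.ClientID)
	}
	plain, err := aead.Open(nil, first[:aead.NonceSize()], first[aead.NonceSize():], []byte(req.EncID))
	if err != nil {
		return nil, err
	}
	// RSA-OAEP caps the payload (190 bytes with RSA-2048/SHA-256); real deployments wrap a data key instead
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, []byte(req.ClientID))
}

// Access is steps 301 and 304 seen from the first KMC.
func (f *FirstKMC) Access(req AccessRequest) ([]byte, error) {
	second, err := f.ac.Route(req)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), nil, f.priv, second, []byte(req.ClientID))
}

// Scenario wires the parties, performs one granted access, then withdraws the right and
// repeats the same request; both outcomes are returned so they can be checked.
func Scenario() (granted []byte, afterRevoke error, err error) {
	kmc2 := &SecondKMC{keys: map[string]cipher.AEAD{}, node: map[string][]byte{}, pubs: map[string]*rsa.PublicKey{}}
	ac := &AuthorizationCenter{grants: map[AccessRequest]bool{}, kmc2: kmc2}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	kmc1 := &FirstKMC{priv: priv, ac: ac}
	kmc2.pubs["client-1"] = &priv.PublicKey // first public key sent in advance
	req := AccessRequest{EncID: kmc2.Encrypt([]byte("constructed sample: loan contract 0042")), ClientID: "client-1"}
	ac.grants[req] = true // the second client authorizes (actively, or via the AC's request)
	granted, err = kmc1.Access(req)
	delete(ac.grants, req) // the second client withdraws the right
	_, afterRevoke = kmc1.Access(req)
	return granted, afterRevoke, err
}
```

Run it under `go test`; Scenario is the entry point. The property to notice is that FirstKMC has no field for the encryption key at all, so the only path to the decrypted data is the authorization center's routing decision, which a single delete withdraws.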
Exemplary device
Referring to fig. 7, a schematic structural diagram of an encrypted data access system in an embodiment of the present application is shown. In this embodiment, the system may specifically include: a first key management center 701, an authorization center 702, and a second key management center 703;
the first key management center 701 is configured to receive an encrypted data access request, sent by a first client, from the first client to a second client, and send the encrypted data access request to an authorization center; the encrypted data access request comprises an encrypted identifier and a first identity identifier corresponding to the first client;
the authorization center 702 is configured to determine, according to the first identity identifier, that the second client authorizes the encrypted access right of the first client corresponding to the encrypted identifier, and send the encrypted data access request to a second key management center;
the second key management center 703 is configured to obtain first encrypted data and an encryption key according to the encrypted identifier, decrypt the first encrypted data with the encryption key to obtain decrypted data, encrypt the decrypted data with a first public key to obtain second encrypted data, and send the second encrypted data to the first key management center according to the first identity identifier; the first encrypted data is determined and returned by the blockchain node corresponding to the second client based on the encrypted identifier, the encryption key is generated and stored in advance by the second key management center, and the first public key is generated and sent in advance by the first key management center;
the first key management center 701 is further configured to decrypt the second encrypted data with a first private key paired with the first public key to obtain the decrypted data, and send the decrypted data to the first client; the first private key is generated and stored in advance by the first key management center.
Optionally, the encrypted identifier is a unique identifier generated by the second key management center and corresponding to each of the first encrypted data, the encryption key, and the encrypted data access request.
Optionally, the encrypted access right is obtained by the authorization center receiving an encrypted access right request sent by the first client, sending the encrypted access right request to the second client, and receiving the encrypted access right that the second client returns to the authorization center after processing and granting the request.
Optionally, the encrypted access right is obtained by the authorization center receiving an encrypted access right, actively sent by the second client, by which the second client authorizes the encrypted access of the first client.
Optionally, the authorization center 702 is further configured to:
and if the authorization center judges that the second client does not authorize the encrypted access authority of the first client corresponding to the encrypted identifier according to the first identity identifier, the authorization center rejects the encrypted data access request.
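The access flow of the system of fig. 7, including the rejection of a request for which the second client has granted no encrypted access right, as an added worked example in Go; this is illustrative code added here and is not part of the patent or of any implementation by the applicant. Because the patent names no algorithms, the example assumes AES-256-GCM for the encryption key generated and stored by the second key management center, RSA-OAEP with SHA-256 for encryption with the first public key, in-memory maps standing in for the blockchain node and for the authorization center's records, and constructed identifiers such as client-A and enc-0001; every type and function name in the code is an assumption of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

type (
	AccessRequest struct{ EncryptedID, FirstIdentity string } // encrypted identifier + first identity identifier
	SecondKMC     struct{ keys, ledger map[string][]byte }    // ledger stands in for the blockchain node
	AuthCenter    struct{ grants map[[2]string]bool }         // (encrypted identifier, first identity) -> authorized
	FirstKMC      struct {                                   // owns the first key pair; only the public half leaves it
		Identity string
		priv     *rsa.PrivateKey
	}
)

func NewSecondKMC() *SecondKMC   { return &SecondKMC{map[string][]byte{}, map[string][]byte{}} }
func NewAuthCenter() *AuthCenter { return &AuthCenter{map[[2]string]bool{}} }

func NewFirstKMC(identity string) (*FirstKMC, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &FirstKMC{Identity: identity, priv: priv}, nil
}

// gcm builds AES-GCM for the 32-byte encryption key kept by the second KMC.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store models the second client's data being encrypted with a key the second KMC
// generates and keeps, and the first encrypted data (nonce||ciphertext) going on chain.
func (s *SecondKMC) Store(encID string, data []byte) error {
	buf := make([]byte, 32+12) // AES-256 key followed by the 12-byte GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return err
	}
	key, nonce := buf[:32], buf[32:]
	aead, err := gcm(key)
	if err != nil {
		return err
	}
	s.keys[encID], s.ledger[encID] = key, aead.Seal(nonce, nonce, data, nil)
	return nil
}

// Serve is the second KMC's step: fetch record and key by identifier, decrypt, and
// re-encrypt to the first public key. The record and the encryption key never leave here.
func (s *SecondKMC) Serve(req AccessRequest, firstPub *rsa.PublicKey) ([]byte, error) {
	first, ok := s.ledger[req.EncryptedID]
	if !ok {
		return nil, fmt.Errorf("unknown encrypted identifier %q", req.EncryptedID)
	}
	aead, err := gcm(s.keys[req.EncryptedID])
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize() // GCM authentication makes Open fail on a tampered record
	plain, err := aead.Open(nil, first[:n], first[n:], nil)
	if err != nil {
		return nil, err
	}
	// RSA-OAEP is an assumption (the patent names no algorithm); the label ties the ciphertext to the requester.
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, firstPub, plain, []byte(req.FirstIdentity))
}

// Grant records the second client's authorization, whether requested via the center or sent proactively.
func (a *AuthCenter) Grant(encID, firstIdentity string) { a.grants[[2]string{encID, firstIdentity}] = true }

// Forward is the authorization center's step: reject unless the second client authorized this requester.
func (a *AuthCenter) Forward(req AccessRequest, s *SecondKMC, firstPub *rsa.PublicKey) ([]byte, error) {
	if !a.grants[[2]string{req.EncryptedID, req.FirstIdentity}] {
		return nil, fmt.Errorf("access to %q rejected for %q", req.EncryptedID, req.FirstIdentity)
	}
	return s.Serve(req, firstPub)
}

// Access is the first KMC's side: request via the authorization center, then decrypt with the first private key.
func (f *FirstKMC) Access(a *AuthCenter, s *SecondKMC, encID string) ([]byte, error) {
	req := AccessRequest{EncryptedID: encID, FirstIdentity: f.Identity}
	second, err := a.Forward(req, s, &f.priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, f.priv, second, []byte(f.Identity))
}
```

Calling Store on the second key management center, Grant on the authorization center and then Access on the first key management center reproduces the flow; Access before Grant, or from an identity the second client never authorized, returns the rejection error, and the encryption key and first encrypted data are read only inside Serve. Direct RSA-OAEP limits a record to 190 bytes with a 2048-bit key; longer records would need a fresh data key wrapped under the first public key instead.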
Referring to fig. 8, a schematic structural diagram of an apparatus for encrypted data access in an embodiment of the present application is shown, and is applied to a first key management center. In this embodiment, the apparatus may specifically include:
a first receiving unit 801, configured to receive an encrypted data access request of the first client to a second client, sent by the first client; the encrypted data access request comprises an encrypted identifier and a first identity identifier corresponding to the first client;
a first sending unit 802, configured to send the encrypted data access request to an authorization center, so that if the authorization center determines, according to the first identity identifier, that the second client authorizes the encrypted access right of the first client corresponding to the encrypted identifier, the authorization center sends the encrypted data access request to a second key management center, and the second key management center obtains first encrypted data and an encryption key according to the encrypted identifier; the first encrypted data is determined and returned by the blockchain node corresponding to the second client based on the encrypted identifier, and the encryption key is generated and stored in advance by the second key management center;
a second receiving unit 803, configured to receive second encrypted data sent by the second key management center according to the first identity identifier; the second encrypted data is obtained by the second key management center decrypting the first encrypted data with the encryption key to obtain decrypted data and encrypting the decrypted data with a first public key, where the first public key is generated and sent in advance by the first key management center;
a decryption sending unit 804, configured to decrypt the second encrypted data with a first private key paired with the first public key to obtain the decrypted data, and send the decrypted data to the first client; the first private key is generated and stored in advance by the first key management center.
Optionally, the encrypted identifier is a unique identifier generated by the second key management center and corresponding to each of the first encrypted data, the encryption key, and the encrypted data access request.
Optionally, the encrypted access right is obtained by the authorization center receiving an encrypted access right request sent by the first client, sending the encrypted access right request to the second client, and receiving the encrypted access right that the second client returns to the authorization center after processing and granting the request.
Optionally, the encrypted access right is obtained by the authorization center receiving an encrypted access right, actively sent by the second client, by which the second client authorizes the encrypted access of the first client.
Referring to fig. 9, a schematic structural diagram of another apparatus for encrypted data access in the embodiment of the present application is shown, which is applied to an authorization center. In this embodiment, the apparatus may specifically include:
a third receiving unit 901, configured to receive an encrypted data access request, sent by a first key management center, from a first client to a second client; the encrypted data access request comprises an encrypted identifier and a first identity identifier corresponding to the first client;
a second sending unit 902, configured to send the encrypted data access request to a second key management center if it is determined, according to the first identity identifier, that the second client authorizes the encrypted access right of the first client corresponding to the encrypted identifier, so that the second key management center obtains first encrypted data and an encryption key according to the encrypted identifier, decrypts the first encrypted data with the encryption key to obtain decrypted data, encrypts the decrypted data with a first public key to obtain second encrypted data, and sends the second encrypted data to the first key management center according to the first identity identifier, and so that the first key management center decrypts the second encrypted data with a first private key paired with the first public key to obtain the decrypted data and sends the decrypted data to the first client; the first encrypted data is determined and returned by the blockchain node corresponding to the second client based on the encrypted identifier, the encryption key is generated and stored in advance by the second key management center, the first public key is generated and sent in advance by the first key management center, and the first private key is generated and stored in advance by the first key management center.
Optionally, the encrypted identifier is a unique identifier generated by the second key management center and corresponding to each of the first encrypted data, the encryption key, and the encrypted data access request.
Optionally, the apparatus further comprises:
a fifth receiving unit, configured to receive an encrypted access right request of the first client to the second client, sent by the first client;
a fourth sending unit, configured to send the encrypted access right request to the second client;
a sixth receiving unit, configured to receive the encrypted access right sent by the second client after processing the encrypted access right request.
Optionally, the apparatus further comprises:
a seventh receiving unit, configured to receive an encrypted access right, actively sent by the second client, by which the second client authorizes the encrypted access of the first client.
Optionally, the apparatus further comprises:
and the rejecting unit is used for rejecting the encrypted data access request if the encrypted access authority of the first client corresponding to the encrypted identifier is not authorized by the second client according to the first identity identifier.
Referring to fig. 10, a schematic structural diagram of another apparatus for encrypted data access in the embodiment of the present application is shown, and is applied to a second key management center. In this embodiment, the apparatus may specifically include:
a fourth receiving unit 1001, configured to receive an encrypted data access request sent by an authorization center, where the authorization center sends the request if it determines, according to a first identity identifier, that a second client authorizes the encrypted access right of a first client corresponding to an encrypted identifier; the encrypted data access request is sent to the authorization center by a first key management center, originates from the first client, is directed to the second client, and comprises the first identity identifier and the encrypted identifier corresponding to the first client;
an obtaining unit 1002, configured to obtain first encrypted data and an encryption key according to the encrypted identifier, decrypt the first encrypted data with the encryption key to obtain decrypted data, and encrypt the decrypted data with a first public key to obtain second encrypted data; the first encrypted data is determined and returned by the blockchain node corresponding to the second client based on the encrypted identifier, the encryption key is generated and stored in advance by the second key management center, and the first public key is generated and sent in advance by the first key management center;
a third sending unit 1003, configured to send the second encrypted data to the first key management center according to the first identity, so that the first key management center decrypts the second encrypted data according to a first private key symmetric to the first public key to obtain the decrypted data, and sends the decrypted data to the first client, where the first private key is generated and stored in advance by the first key management center.
Optionally, the encrypted identifier is a unique identifier generated by the second key management center and corresponding to each of the first encrypted data, the encryption key, and the encrypted data access request.
Optionally, the encrypted access right is obtained by the authorization center receiving an encrypted access right request sent by the first client, sending the encrypted access right request to the second client, and receiving the encrypted access right that the second client returns to the authorization center after processing and granting the request.
Optionally, the encrypted access right is obtained by the authorization center receiving an encrypted access right, actively sent by the second client, by which the second client authorizes the encrypted access of the first client.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The foregoing is merely a preferred embodiment of the present application and is not intended to limit the present application in any way. Although the present application has been described with reference to the preferred embodiments, it is not intended to limit the present application. Those skilled in the art can now make numerous possible variations and modifications to the disclosed embodiments, or modify equivalent embodiments, using the methods and techniques disclosed above, without departing from the scope of the claimed embodiments. Therefore, any simple modification, equivalent change and modification made to the above embodiments according to the technical essence of the present application still fall within the protection scope of the technical solution of the present application without departing from the content of the technical solution of the present application.

Claims (18)

1. A method for accessing encrypted data, which is applied to an encrypted data access system, comprises the following steps:
a first key management center receives an encrypted data access request of a first client to a second client, which is sent by the first client, and sends the encrypted data access request to an authorization center; the encrypted data access request comprises an encrypted identifier and a first identity identifier corresponding to the first client;
if the authorization center judges that the second client authorizes the encrypted access authority of the first client corresponding to the encrypted identifier according to the first identity identifier, the authorization center sends the encrypted data access request to a second key management center;
the second key management center obtains first encrypted data and an encryption key according to the encrypted identifier, decrypts the first encrypted data by using the encryption key to obtain decrypted data, encrypts the decrypted data by using a first public key to obtain second encrypted data, and sends the second encrypted data to the first key management center according to the first identity identifier; the first encrypted data is determined and returned by the blockchain node corresponding to the second client based on the encrypted identifier, the encryption key is generated and stored in advance by the second key management center, and the first public key is generated and sent in advance by the first key management center;
the first key management center decrypts the second encrypted data according to a first private key which is symmetric to the first public key to obtain the decrypted data, and sends the decrypted data to the first client; the first private key is generated and stored in advance by a first key management center.
2. The method according to claim 1, wherein the encrypted identification is a unique identification generated by the second key management center corresponding to each of the first encrypted data, the encryption key, and the encrypted-data access request.
3. The method according to claim 1, wherein the encrypted access right is obtained by the authorization center receiving an encrypted access right request sent by the first client, sending the encrypted access right request to the second client, and returning the encrypted access right request to the authorization center after the authorization is processed by the second client.
4. The method of claim 1, wherein the encrypted access right is obtained by the authorization center receiving an encrypted access right, actively sent by the second client, by which the second client authorizes the encrypted access of the first client.
5. The method of claim 1, further comprising:
and if the authorization center judges that the second client does not authorize the encrypted access authority of the first client corresponding to the encrypted identifier according to the first identity identifier, the authorization center rejects the encrypted data access request.
6. A method for accessing encrypted data, applied to a first key management center, comprising:
receiving an encrypted data access request of the first client to a second client, which is sent by the first client; the encrypted data access request comprises an encrypted identifier and a first identity identifier corresponding to the first client;
sending the encrypted data access request to an authorization center, so that if the authorization center judges that the second client authorizes the encrypted access right of the first client corresponding to the encrypted identifier according to the first identity identifier, the authorization center sends the encrypted data access request to a second key management center, and the second key management center obtains first encrypted data and an encryption key according to the encrypted identifier; the first encrypted data is determined and returned by the blockchain node corresponding to the second client based on the encrypted identifier, and the encryption key is generated and stored in advance by the second key management center;
receiving second encrypted data sent by the second key management center according to the first identity; the second encrypted data is obtained by the second key management center decrypting the first encrypted data by using the encryption key to obtain decrypted data and encrypting the decrypted data by using a first public key, wherein the first public key is generated and sent by the first key management center in advance;
decrypting the second encrypted data according to a first private key symmetrical to the first public key to obtain the decrypted data, and sending the decrypted data to the first client; the first private key is generated and stored in advance by a first key management center.
7. The method according to claim 6, wherein the encrypted identification is a unique identification generated by the second key management center corresponding to each of the first encrypted data, the encryption key, and the encrypted data access request.
8. A method for accessing encrypted data, applied to an authorization center, comprising:
receiving an encrypted data access request of a first client to a second client, which is sent by a first key management center and originates from the first client; the encrypted data access request comprises an encrypted identifier and a first identity identifier corresponding to the first client;
if the encrypted access right of the first client corresponding to the encrypted identifier is authorized by the second client according to the first identity identifier, sending the encrypted data access request to a second key management center, so that the second key management center obtains first encrypted data and an encryption key according to the encrypted identifier, decrypts the first encrypted data by using the encryption key to obtain decrypted data, encrypts the decrypted data by using a first public key to obtain second encrypted data, and sends the second encrypted data to the first key management center according to the first identity identifier, so that the first key management center decrypts the second encrypted data according to a first private key symmetrical to the first public key to obtain the decrypted data, and sends the decrypted data to the first client; the first encrypted data is determined and returned by the blockchain node corresponding to the second client based on the encrypted identifier, the encryption key is generated and stored in advance by the second key management center, the first public key is generated and sent in advance by the first key management center, and the first private key is generated and stored in advance by the first key management center.
9. The method according to claim 8, wherein the encrypted identification is a unique identification generated by the second key management center corresponding to each of the first encrypted data, the encryption key, and the encrypted data access request.
10. The method of claim 8, further comprising:
receiving an encrypted access permission request of the first client to the second client, which is sent by the first client;
sending the encrypted access permission request to the second client;
and receiving the encrypted access right sent by the second client after processing the encrypted access right authorization request.
11. The method of claim 8, further comprising:
and receiving the encrypted access authority, which is actively sent by the second client, of the second client to authorize the encrypted access of the first client.
12. The method of claim 8, further comprising:
and if the encrypted access authority of the first client corresponding to the encrypted identifier is not authorized by the second client according to the first identity identifier, rejecting the encrypted data access request.
13. A method for accessing encrypted data, applied to a second key management center, comprising:
receiving an encrypted data access request sent by an authorization center, wherein the authorization center sends the encrypted data access request if it judges, according to a first identity identifier, that a second client authorizes an encrypted access right of a first client corresponding to an encrypted identifier; the encrypted data access request is sent to the authorization center by a first key management center, originates from the first client, and comprises the first identity identifier and the encrypted identifier corresponding to the first client;
obtaining first encrypted data and an encryption key according to the encrypted identifier, decrypting the first encrypted data by using the encryption key to obtain decrypted data, and encrypting the decrypted data by using a first public key to obtain second encrypted data; the first encrypted data is determined and returned by the blockchain node corresponding to the second client based on the encrypted identifier, the encryption key is generated and stored in advance by the second key management center, and the first public key is generated and sent in advance by the first key management center;
and sending the second encrypted data to the first key management center according to the first identity, so that the first key management center decrypts the second encrypted data according to a first private key which is symmetric to the first public key to obtain the decrypted data, and sends the decrypted data to the first client, wherein the first private key is generated and stored in advance by the first key management center.
14. The method according to claim 13, wherein the encrypted identifier is a unique identifier generated by the second key management center for each of the first encrypted data, the encryption key, and the encrypted data access request.
15. An encrypted data access system, comprising: a first key management center, an authorization center and a second key management center;
the first key management center is configured to receive an encrypted data access request of a first client for encrypted data of a second client, sent by the first client, and to send the encrypted data access request to the authorization center; the encrypted data access request comprises an encrypted identifier and a first identity identifier corresponding to the first client;
the authorization center is configured to determine, according to the first identity identifier, that the second client has authorized the encrypted access right of the first client corresponding to the encrypted identifier, and to send the encrypted data access request to the second key management center;
the second key management center is configured to obtain first encrypted data and an encryption key according to the encrypted identifier, decrypt the first encrypted data with the encryption key to obtain decrypted data, encrypt the decrypted data with a first public key to obtain second encrypted data, and send the second encrypted data to the first key management center according to the first identity identifier; the first encrypted data is determined and returned by the blockchain node corresponding to the second client based on the encrypted identifier, the encryption key is generated and stored in advance by the second key management center, and the first public key is generated and sent in advance by the first key management center;
the first key management center is further configured to decrypt the second encrypted data with a first private key paired with the first public key to obtain the decrypted data, and to send the decrypted data to the first client; the first private key is generated and stored in advance by the first key management center.
16. An apparatus for accessing encrypted data, applied to a first key management center, comprising:
a first receiving unit, configured to receive an encrypted data access request of a first client for encrypted data of a second client, sent by the first client; the encrypted data access request comprises an encrypted identifier and a first identity identifier corresponding to the first client;
a first sending unit, configured to send the encrypted data access request to an authorization center, so that, if the authorization center determines according to the first identity identifier that the second client has authorized the encrypted access right of the first client corresponding to the encrypted identifier, the authorization center sends the encrypted data access request to a second key management center, and the second key management center obtains first encrypted data and an encryption key according to the encrypted identifier; the first encrypted data is determined and returned by the blockchain node corresponding to the second client based on the encrypted identifier, and the encryption key is generated and stored in advance by the second key management center;
a second receiving unit, configured to receive second encrypted data sent by the second key management center according to the first identity identifier; the second encrypted data is obtained by the second key management center decrypting the first encrypted data with the encryption key to obtain decrypted data and encrypting the decrypted data with a first public key, wherein the first public key is generated and sent in advance by the first key management center;
a decryption and sending unit, configured to decrypt the second encrypted data with a first private key paired with the first public key to obtain the decrypted data, and to send the decrypted data to the first client; the first private key is generated and stored in advance by the first key management center.
17. An apparatus for accessing encrypted data, applied to an authorization center, comprising:
a third receiving unit, configured to receive an encrypted data access request of a first client for encrypted data of a second client, sent by a first key management center; the encrypted data access request comprises an encrypted identifier and a first identity identifier corresponding to the first client;
a second sending unit, configured to send the encrypted data access request to a second key management center if it is determined, according to the first identity identifier, that the second client has authorized the encrypted access right of the first client corresponding to the encrypted identifier, so that the second key management center obtains first encrypted data and an encryption key according to the encrypted identifier, decrypts the first encrypted data with the encryption key to obtain decrypted data, encrypts the decrypted data with a first public key to obtain second encrypted data, and sends the second encrypted data to the first key management center according to the first identity identifier, and so that the first key management center decrypts the second encrypted data with a first private key paired with the first public key to obtain the decrypted data and sends the decrypted data to the first client; the first encrypted data is determined and returned by the blockchain node corresponding to the second client based on the encrypted identifier, the encryption key is generated and stored in advance by the second key management center, the first public key is generated and sent in advance by the first key management center, and the first private key is generated and stored in advance by the first key management center.
18. An apparatus for accessing encrypted data, applied to a second key management center, comprising:
a fourth receiving unit, configured to receive an encrypted data access request sent by an authorization center if the authorization center determines, according to a first identity identifier, that a second client has authorized the encrypted access right of a first client corresponding to an encrypted identifier; the encrypted data access request is a request of the first client for encrypted data of the second client, is sent to the authorization center by a first key management center, and comprises the first identity identifier corresponding to the first client and the encrypted identifier;
an obtaining unit, configured to obtain first encrypted data and an encryption key according to the encrypted identifier, decrypt the first encrypted data with the encryption key to obtain decrypted data, and encrypt the decrypted data with a first public key to obtain second encrypted data; the first encrypted data is determined and returned by the blockchain node corresponding to the second client based on the encrypted identifier, the encryption key is generated and stored in advance by the second key management center, and the first public key is generated and sent in advance by the first key management center;
a third sending unit, configured to send the second encrypted data to the first key management center according to the first identity identifier, so that the first key management center decrypts the second encrypted data with a first private key paired with the first public key to obtain the decrypted data and sends the decrypted data to the first client, wherein the first private key is generated and stored in advance by the first key management center.
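The request flow that claims 13 and 15 to 18 describe, as a runnable added example; this is not code from the patent or its assignee. It assumes AES-256-GCM for the second key management center's encryption key, RSA-OAEP for the first public and private key pair, and in-memory maps in place of the blockchain node and the authorization center's store of granted rights; the party names (SecondKMC, AuthCenter, FirstKMC), the "enc-" identifier prefix and the sample record are all constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// newGCM builds AES-256-GCM for a 32-byte key (a constructed choice; the claims only say "encryption key").
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SecondKMC generated its encryption keys in advance and holds the first public key; node stands in for the blockchain node.
type SecondKMC struct {
	keys     map[string][]byte // encrypted identifier -> encryption key, one per record (claim 14)
	node     map[string][]byte // encrypted identifier -> first encrypted data
	firstPub *rsa.PublicKey
}

// Store encrypts one record of the second client under a fresh key and returns its unique encrypted identifier.
func (k *SecondKMC) Store(plain []byte) (string, error) {
	buf := make([]byte, 32+8+12) // fresh key || identifier bytes || GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	gcm, err := newGCM(buf[:32])
	if err != nil {
		return "", err
	}
	encID, nonce := "enc-"+hex.EncodeToString(buf[32:40]), buf[40:]
	k.keys[encID] = buf[:32]
	k.node[encID] = gcm.Seal(nonce, nonce, plain, nil) // nonce || ciphertext || tag
	return encID, nil
}

// Serve is the second KMC step of claim 13: fetch the first encrypted data, decrypt it, re-encrypt under the first public key.
func (k *SecondKMC) Serve(encID string) ([]byte, error) {
	gcm, err := newGCM(k.keys[encID]) // an unknown identifier has no key, so this fails
	if err != nil {
		return nil, err
	}
	ct, ns := k.node[encID], gcm.NonceSize()
	plain, err := gcm.Open(nil, ct[:ns], ct[ns:], nil)
	if err != nil {
		return nil, err
	}
	// OAEP caps the message (190 bytes for RSA-2048/SHA-256); longer records would need a hybrid wrap the claims do not describe.
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, k.firstPub, plain, nil)
}

// AuthCenter stores the rights the second client sent (claim 11) and forwards only matching requests (claims 12, 13).
type grant struct{ encID, firstID string } // one encrypted access right: the second client lets firstID read encID
type AuthCenter struct {
	grants map[grant]bool
	second *SecondKMC
}

func (a *AuthCenter) Grant(encID, firstID string) { a.grants[grant{encID, firstID}] = true }

func (a *AuthCenter) Forward(firstID, encID string) ([]byte, error) {
	if !a.grants[grant{encID, firstID}] {
		return nil, errors.New("encrypted data access request rejected: not authorized")
	}
	return a.second.Serve(encID)
}

// FirstKMC generated its RSA key pair in advance; Access relays the request and decrypts the second encrypted data.
type FirstKMC struct {
	priv *rsa.PrivateKey
	auth *AuthCenter
}

func (f *FirstKMC) Access(firstID, encID string) ([]byte, error) {
	second, err := f.auth.Forward(firstID, encID)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, f.priv, second, nil)
}

// Setup wires the parties together; passing firstPub to the second KMC is the "sent in advance" step of the claims.
func Setup() (*FirstKMC, *AuthCenter, *SecondKMC, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	second := &SecondKMC{keys: map[string][]byte{}, node: map[string][]byte{}, firstPub: &priv.PublicKey}
	auth := &AuthCenter{grants: map[grant]bool{}, second: second}
	return &FirstKMC{priv: priv, auth: auth}, auth, second, nil
}
```

Setup returns the three parties; Store produces the first encrypted data and its encrypted identifier; a call to Access before Grant is the rejection of claim 12, and after Grant it returns the decrypted data for that first identity only. Because the second key management center decrypts with the encryption key before re-encrypting under the first public key, it handles the plaintext in between, so in this design it is a fully trusted party, as the claims also assume.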

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811179863.4A CN109361663B (en) 2018-10-10 2018-10-10 Method, system and device for accessing encrypted data

Publications (2)

Publication Number Publication Date
CN109361663A CN109361663A (en) 2019-02-19
CN109361663B true CN109361663B (en) 2021-05-28

Family

ID=65349082

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109688163B (en) * 2019-02-20 2021-11-30 中国联合网络通信集团有限公司 Data processing method, device and equipment based on alliance chain and storage medium
CN110020857A (en) 2019-02-27 2019-07-16 阿里巴巴集团控股有限公司 A kind of method and device for storing, calling block chain account private key
CN111143870B (en) * 2019-12-30 2022-05-13 兴唐通信科技有限公司 Distributed encryption storage device, system and encryption and decryption method
CN112669147B (en) * 2019-12-31 2023-09-26 蚂蚁区块链科技(上海)有限公司 Service request method and device based on block chain
US11265152B2 (en) * 2020-01-09 2022-03-01 Western Digital Technologies, Inc. Enrolment of pre-authorized device
CN111431857B (en) * 2020-02-27 2022-09-27 深圳壹账通智能科技有限公司 Authorized access method and device for super account book and storage medium
CN112835912B (en) * 2021-04-20 2021-08-03 卓尔智联(武汉)研究院有限公司 Data storage method and device based on block chain and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101557289A (en) * 2009-05-13 2009-10-14 大连理工大学 Storage safe key management method based on ID authentication
CN104618096A (en) * 2014-12-30 2015-05-13 华为技术有限公司 Method and device for protecting secret key authorized data, and TPM (trusted platform module) secrete key management center
CN106503574A (en) * 2016-09-13 2017-03-15 中国电子科技集团公司第三十二研究所 Block chain safe storage method
CN106534092A (en) * 2016-11-02 2017-03-22 西安电子科技大学 Message-based and key-dependent privacy data encryption method
CN106911641A (en) * 2015-12-23 2017-06-30 索尼公司 For authorizing the client terminal device for accessing, server unit and access control system
CN108322451A (en) * 2018-01-12 2018-07-24 深圳壹账通智能科技有限公司 Data processing method, device, computer equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7243366B2 (en) * 2001-11-15 2007-07-10 General Instrument Corporation Key management protocol and authentication system for secure internet protocol rights management architecture

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Privacy-Preserving and Efficient Aggregation Based on Blockchain for Power Grid Communications in Smart Communities; Zhitao Guan; IEEE Communications Magazine; 20180725; Vol. 56 (No. 7); full text *
A blockchain-based key management scheme for distributed network environments; 戴千一 (Dai Qianyi); 网络与信息安全学报 (Chinese Journal of Network and Information Security); 20180915 (No. 9); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20210528

Termination date: 20211010